Proper management of sessions between users and a server over a computer network is important, for example, in regulating network availability of server resources and data. Those users who have entered into a session with a server are generally timed out (e.g., the user session is terminated) after a period of inactivity so that such server resources and data may be made available to other users on the network.
Most session timeout policies, as currently practiced in many business network environments and over very large public networks such as the World Wide Web, are actually very old in their thinking. They generally dictate that a user session should automatically timeout after anywhere from ten to twenty minutes of inactivity, on the general assumption that the user has left their terminal and/or intends to abandon the session. In those instances where the session involves the transfer of confidential or sensitive information (e.g., financial data of the user), there is a further concern that such information may be exposed to other parties on the user's terminal in the user's absence. Consequently, this provides a further motivation to simply timeout the user session, thereby eliminating the display or usefulness of the information entered by the user.
These prolific timeout standards may be described as embodying a “3270-centric” view of the networking world, in reference to the IBM 3270 terminal communications originally developed in the dawn of network computing to manage remote terminal communications with a mainframe computer. Since that time, there have been vast improvements in the speed and security of network communications and the functionality of remote terminals. However, the original general session timeout standards remain. As a consequence, in present network management applications, there is no recognition that a user's terminal or computing device can provide relevant data to a server, such that intelligent decisions can be made as to when to automatically timeout a session. There's also no notion that the security features found on most computing devices can be leveraged to contribute to such automated decision-making.
Outdated session timeout policies can cause problems for employees, customers, and other types of network users, who use some network applications and then may switch to a different application for a period of time, or temporarily have to leave or discontinue use of their terminal. When a user returns to the network session, she very often finds that the session has timed out, thus deleting any data previously entered, and that it is now necessary to log on to the server again and re-enter such data. This common result can be a major nuisance for users, and negatively affects both their productivity, as well as their perceptions of the usability of any systems that behave this manner. In a public environment, such as the Internet, an online merchant may frequently and needlessly frustrate its customers by employing such outmoded timeout standards on its web site, and perhaps even inadvertently dissuade many potential customers from using the web site.
Accordingly, there is a need for a method and apparatus for managing network sessions that addresses certain problems of existing technologies.